As far as I know, even if you send an MD5-hashed password over an HTTP connection, a hacker could intercept it and remove the JavaScript md5 function on the client side (with Chrome it's really easy)...